Why states should push forward with cyber laws

The list of Democratic presidential candidates continues to grow, and three of those hopefuls offer backgrounds and legislative records that could help advance the issue of cybersecurity standards at the federal level.

Sen. Kamala Harris (D-Calif.) last year co-sponsored a bipartisan bill to improve cybersecurity at U.S. ports as well as the Secure Elections Act. Sen. Kirsten Gillibrand (D-N.Y.) teamed with Republican Sen. Lindsey Graham (R-S.C.) on legislation to push for a more rigorous investigation into Russian election interference. In addition, Sen. Elizabeth Warren (D-Mass.) introduced legislation in response to the Equifax data breach. Additionally, President Trump recently signed the SECURE Technology Act, which requires the Department of Homeland Security to establish a security vulnerability disclosure policy, a bug bounty pilot program, and set supply chain risk management standards.

In fact, according to The Washington Post, “all six U.S. senators that threw their hats in the ring for the Democratic nomination have co-sponsored bills aimed at protecting election systems against Russian hackers.”

At no other time has cybersecurity been at the forefront of so many federal legislative efforts and conversations. While it’s encouraging to see cybersecurity getting much-deserved attention from politicians seeking the highest office, it could be argued that these efforts are doomed to fail.

These recent cybersecurity initiatives are important and could contribute to strengthening our country’s ability to detect and mitigate cyberattacks against citizens, critical infrastructure or government systems. However, history has shown that standardizing cybersecurity practices at the federal level is difficult. The reasons are fairly simple. In the legislative branch, more than 80 groups claim some jurisdiction over cybersecurity matters. But despite outrage and hearings on the hill after major breaches, Congress has not passed new legislation. For instance, there is no current central federal mandate that offers protections for personal data.

Meanwhile, some federal agencies like DHS, the SEC, and the IRS forge ahead with security standards within their own agencies, yet the models and best practices aren’t being shared effectively with other federal agencies. The DHS’ new Cybersecurity and Infrastructure Security Agency recently demanded all federal agencies to take specific steps to protect the flow of global internet traffic through the Domain Name System. As of the time of this column, it’s not clear how successful that mandate has been.

The complexity in Congress and within the federal government prevents agile responses to cybersecurity concerns, and meaningful cybersecurity legislation languishes.

There is more encouraging progress across the country, however, at the state level, where regulation is being proposed with increasing regularity.

Last year, 35 states introduced more than 265 cybersecurity bills or resolutions targeting computer crimes, restricting public disclosure of sensitive security information and improving overall government security practices.

For example, Ohio has enacted a safe harbor law known as the Ohio Data Protection Act (2018 SB 220) that offers to help companies limit liabilities if they design and enforce policies that protect the security and confidentiality of their data. Under the law, they must guard against risks or hazards that threaten the integrity of their data and they must have measures in place to prevent unauthorized access.

California has passed its version of the European Union’s General Data Protection Regulation (GDPR). While somewhat of a lighter version of GDPR, the California Consumer Privacy Act gives consumers more control over how their data is collected, stored and shared, including the legal authority to tell Google and Facebook to delete their information.

Meanwhile, the Pennsylvania Supreme Court recently ruled that companies must protect their employees’ data or face legal damages if a breach occurs. At the time of the ruling, Pennsylvania Chamber of Commerce expressed concern that it would hurt the state’s businesses.

Many businesses might share this concern, but others rely on reasonable state-level privacy and security laws because it’s not feasible to wait for federal legislation that faces potentially insurmountable political hurdles.

Only a month later, four state senators in Massachusetts introduced a bill (S.D. 342) in January that would protect consumers’ biometric data and regulate its collection, a step that Illinois, Texas and Washington have already enacted. 

Soon, these kinds of cyber laws at the state level may even become mandatory. In February, Rep. Mike Rogers stated that he would consider requiring states to secure their election systems against hackers.

While these state laws focus mostly on data privacy, they spur policies and requirements that lead to more effective security and could help limit damage from attacks. State laws create a patchwork of measures that fill the void created by a lack of federal regulations that seems unlikely to come anytime soon. They also fill a need for certainty in how the government collaborates with the private sector on security and help companies learn from best practices that raise overall cybersecurity standards.

Businesses, their customers and their shareholders prefer certainty over hype, even if that certainty varies from state to state. Companies at least have an understanding of what’s expected of them through a blueprint of cybersecurity policies that have been vetted and enforced by others.

Moving forward, state leaders must continue to push the boundaries with their own cybersecurity laws and must work together to share best practices. Meanwhile, federal agencies would do well to see beyond the confines of their organization to promote more standardized versions of national cybersecurity regulations and guidelines. 

Chris Wysopal is Chief Technology Officer at Veracode, where he oversees technology strategy and information security. Prior to co-founding Veracode in 2006, Chris was vice president of research and development at security consultancy @stake, which was acquired by Symantec. In the 1990s, Chris was one of the original vulnerability researchers at The L0pht, a hacker think tank, where he was one of the first to publicize the risks of insecure software. He has testified to the U.S. Congress on the subjects of government security and how vulnerabilities are discovered in software. He is the author of The Art of Software Security Testing.